Implement kes-period-info command #3459

Merged
merged 3 commits into from
Feb 7, 2022

Contributor

@Jimbo4350 Jimbo4350 commented Dec 20, 2021

Resolves: #2551, #3257, #2558, #3556

Implement kes-period-info cli command that checks your operational certificate and certificate issue counter file are correct:

> cardano-cli query kes-period-info --testnet-magic 42  \
    --op-cert-file example/node-pool1/shelley/node.cert \
    --operational-certificate-issue-counter-file example/node-pool1/shelley/operator.counter
✓ The counters match what is in the node's protocol state
✓ The counters in the operational certificate and operational certificate issue counter file are the same
✓ Operational certificate's kes period is within the correct KES period interval
{
    "qKesNodeStateOperationalCertificateNumber": 6,
    "qKesCurrentKesPeriod": 404,
    "qKesOnDiskOperationalCertificateNumber": 6,
    "qKesRemainingSlotsInKesPeriod": 3760228,
    "qKesMaxKESEvolutions": 62,
    "qKesKesKeyExpiry": "2022-03-20T21:44:51Z",
    "qKesEndKesInterval": 434,
    "qKesStartKesInterval": 372,
    "qKesSlotsPerKesPeriod": 129600
}

It checks:

  • The counters in the operational certificate and operational certificate issue counter file are the same.
  • The counters match what is in the node's protocol state
  • The KES period in the operational certificate is correct (based on the current slot).

@Jimbo4350 Jimbo4350 force-pushed the jordan/node-configuration-checks branch 6 times, most recently from d429738 to 7871b22 Compare December 20, 2021 20:29
@Jimbo4350 Jimbo4350 marked this pull request as ready for review December 20, 2021 20:30
@Jimbo4350 Jimbo4350 changed the title KES Implement kes-period-info command Dec 20, 2021
@Jimbo4350 Jimbo4350 force-pushed the jordan/node-configuration-checks branch 2 times, most recently from 7316c57 to 2828edf Compare December 30, 2021 16:12
@Jimbo4350 Jimbo4350 force-pushed the jordan/node-configuration-checks branch 3 times, most recently from 11d1eca to 6d480c1 Compare January 13, 2022 12:47
@newhoggy
Contributor

newhoggy commented Jan 13, 2022

I did some more testing just now and am a little bit concerned about the presentation of the command:

For example when I run this against my stake pool:

CARDANO_NODE_SOCKET_PATH=... cardano-cli query kes-period-info --mainnet --op-cert-file node.cert --operational-certificate-issue-counter-file node.counter
Command failed: query kes-period-info  Error: Node operational certificate at: node.cert has an incorrectly specified KES period: 386 The correct KES period is: 389

I think if the KES period is behind, it is noteworthy, but not necessarily wrong to warrant an error.

For example a SPO might be worried their stake pool is not producing blocks, and try to use the command to verify if they've cycled their keys incorrectly. The command gives them an error that makes them feel like they've cycled their keys incorrectly, but they actually did it correctly, but they were just unlucky to not have produced blocks and the KES period is different only because the SPO is doing the query a few KES periods past when they cycled their keys.

Not sure if it's possible, a useful thing would be printing when the current KES keys will expire.

I think a good UI might look like this:

$ CARDANO_NODE_SOCKET_PATH=... cardano-cli query kes-period-info --mainnet 
 ✓ The counters in the operational certificate and operational certificate issue counter file are the same.
 ✓ The counters match what is in the node's protocol state
 ✓ The KES period in the operational certificate is correct and started on Thu 16 July 2021 01:45:18 AEDT
 ✘ Warning your operational certificate expires in two days on Fri 16 Jan 2022 01:45:18 AEDT
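
An added example, not code from this pull request or from cardano-cli: it re-evaluates the JSON from the PR description in the diagnostic style discussed above, so that a certificate start period behind the current period counts as healthy and only a counter mismatch or an interval violation is a failure. The function names, the `warn_periods` threshold and the half-open reading of the interval are assumptions; the field names are those in the output shown in the PR description.

```python
import json

# The JSON printed in the PR description, embedded so the example runs offline.
SAMPLE = json.loads("""{
  "qKesNodeStateOperationalCertificateNumber": 6,
  "qKesCurrentKesPeriod": 404,
  "qKesOnDiskOperationalCertificateNumber": 6,
  "qKesRemainingSlotsInKesPeriod": 3760228,
  "qKesMaxKESEvolutions": 62,
  "qKesKesKeyExpiry": "2022-03-20T21:44:51Z",
  "qKesEndKesInterval": 434,
  "qKesStartKesInterval": 372,
  "qKesSlotsPerKesPeriod": 129600
}""")

def assess(info, warn_periods=2):
    """Return (level, message) findings; level is 'ok', 'warn' or 'fail'."""
    findings = []
    disk = info["qKesOnDiskOperationalCertificateNumber"]
    node = info["qKesNodeStateOperationalCertificateNumber"]
    if disk == node:
        findings.append(("ok", f"issue counter {disk} matches node protocol state"))
    else:
        findings.append(("fail", f"issue counter on disk is {disk}, node has {node}"))
    start, end = info["qKesStartKesInterval"], info["qKesEndKesInterval"]
    cur = info["qKesCurrentKesPeriod"]
    # Assumption: the interval is half-open, [start, end), with
    # end = start + qKesMaxKESEvolutions (372 + 62 = 434 in the sample).
    if cur < start:
        findings.append(("fail", f"certificate starts at period {start}, now {cur}"))
    elif cur >= end:
        findings.append(("fail", f"KES key expired at period {end}, now {cur}"))
    else:
        left = end - cur  # a start period behind `cur` is healthy, not an error
        level = "warn" if left <= warn_periods else "ok"
        findings.append((level, f"period {cur} is inside [{start}, {end}); "
                                f"{left} period(s) until expiry"))
    return findings

def worst(findings):
    """Highest severity among the findings, usable as an exit status."""
    order = {"ok": 0, "warn": 1, "fail": 2}
    return max((level for level, _ in findings), key=order.__getitem__)

if __name__ == "__main__":
    for level, msg in assess(SAMPLE):
        print(f"{level:4} {msg}")
    print("overall:", worst(assess(SAMPLE)))
```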

@Jimbo4350
Contributor Author

> I think if the KES period is behind, it is noteworthy, but not necessarily wrong to warrant an error.
>
> For example a SPO might be worried their stake pool is not producing blocks, and try to use the command to verify if they've cycled their keys incorrectly. The command gives them an error that makes them feel like they've cycled their keys incorrectly, but they actually did it correctly, but they were just unlucky to not have produced blocks and the KES period is different only because the SPO is doing the query a few KES periods past when they cycled their keys.

I definitely agree with the UI change, it should be diagnostic.

@Jimbo4350 Jimbo4350 force-pushed the jordan/node-configuration-checks branch from 6d480c1 to 91057f8 Compare February 2, 2022 15:31
@Jimbo4350 Jimbo4350 force-pushed the jordan/node-configuration-checks branch 2 times, most recently from 0f451be to 7cb8931 Compare February 7, 2022 12:32

Verified

This commit was signed with the committer’s verified signature. The key has expired.
RomainMuller Romain Marcadier
 getHotKey to retrieve KES key from op cert
 getKesPeriod to retrieve the KES period from an op cert
 getOpCertCount to retrieve the count from an op cert
Modify readLeaderCredentialsSingleton to check that the supplied KES key
matches the KES key specified in the operational certificate

of checks on the specified node operational certificate that your stake
pool is currently using.

@Jimbo4350 Jimbo4350 force-pushed the jordan/node-configuration-checks branch from 7cb8931 to 6a1baea Compare February 7, 2022 13:25
@Jimbo4350
Contributor Author

bors r+

@iohk-bors
Contributor

iohk-bors bot commented Feb 7, 2022

Build succeeded:

@iohk-bors iohk-bors bot merged commit 16de685 into master Feb 7, 2022
@iohk-bors iohk-bors bot deleted the jordan/node-configuration-checks branch February 7, 2022 14:32
@wutzebaer

Woohoo, when will it be released?

Successfully merging this pull request may close these issues.

[FR] - Prevent block-producer node to start with Invalid KES (InvalidKesSignatureOCERT)